CVE-2026-43205 Overview
CVE-2026-43205 is an out-of-bounds write vulnerability in the Linux kernel's dpaa2-switch driver. The driver retrieves sw_attr.num_ifs from firmware via dpsw_get_attributes() but fails to validate the value against DPSW_MAX_IF (64). This unchecked value drives iteration in dpaa2_switch_fdb_get_flood_cfg(), which writes port indices into the fixed-size cfg->if_id[DPSW_MAX_IF] array. When firmware reports num_ifs >= 64, the loop writes past the array bounds, corrupting adjacent kernel memory.
Critical Impact
A compromised or malicious firmware reporting num_ifs >= 64 triggers a kernel-space out-of-bounds write, leading to memory corruption and potential denial of service or privilege escalation on systems using the dpaa2-switch driver.
Affected Products
- Linux kernel versions containing the dpaa2-switch driver prior to the patches referenced in the kernel.org advisories
- Systems running NXP DPAA2 (Data Path Acceleration Architecture) Ethernet switch hardware
- Embedded and networking platforms using the drivers/net/ethernet/freescale/dpaa2 switch driver
Discovery Timeline
- 2026-05-06 - CVE-2026-43205 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-43205
Vulnerability Analysis
The dpaa2-switch driver manages NXP Data Path Acceleration Architecture v2 Ethernet switch interfaces. During initialization, the driver calls dpsw_get_attributes() to obtain switch configuration from firmware, including the num_ifs field that indicates the number of switch interfaces. The driver trusts this value implicitly and uses it to drive iteration over fixed-size kernel arrays.
The critical code path resides in dpaa2_switch_fdb_get_flood_cfg(). This function iterates num_ifs times, populating the cfg->if_id[] array, which is sized at DPSW_MAX_IF (64) entries. After the main loop, the function appends the control interface index at position num_ifs. When num_ifs == 64, this trailing write overflows the array by one entry. When num_ifs > 64, the main loop itself overflows multiple entries.
A secondary defense in build_if_id_bitmap() silently drops any ID greater than or equal to 64, but this protection executes after the corrupting writes have already occurred.
Root Cause
The root cause is missing input validation [CWE-787 Out-of-Bounds Write] on firmware-supplied data. The driver does not enforce that num_ifs < DPSW_MAX_IF before using the value as a loop bound. The fix adds a bound check using >= rather than > because num_ifs == DPSW_MAX_IF is also functionally broken due to the trailing control-interface write.
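The overflow described under Vulnerability Analysis and the >= versus > point above can be reproduced in a small userspace model. This is an added example, not the kernel driver's code or the upstream patch: struct model_mem, fill_flood_cfg(), check_gt(), check_ge() and the guard slots are constructed names, the fill assumes the worst case where every port is in the flood domain and stores num_ifs as the control-interface entry, and the -EINVAL return value is an assumption.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DPSW_MAX_IF 64   /* size of cfg->if_id[] per the advisory */
#define GUARD_SLOTS 16   /* constructed: models memory adjacent to if_id[] */
#define TOTAL_SLOTS (DPSW_MAX_IF + GUARD_SLOTS)
#define GUARD_FILL  0xFFFFu

/* slot[0..63] models if_id[]; slot[64..] models whatever lies after it. */
struct model_mem { uint16_t slot[TOTAL_SLOTS]; };

/* Unvalidated fill as described: one entry per port (worst case, every port
 * is in the flood domain), then the control-interface entry.
 * Returns how many slots beyond if_id[] were overwritten. */
static int fill_flood_cfg(struct model_mem *m, uint16_t num_ifs)
{
    size_t i = 0, j;
    int clobbered = 0;

    memset(m->slot, 0xFF, sizeof(m->slot));   /* every slot starts as 0xFFFF */
    for (j = 0; j < num_ifs && i < TOTAL_SLOTS; j++)
        m->slot[i++] = (uint16_t)j;           /* port index */
    if (i < TOTAL_SLOTS)
        m->slot[i++] = num_ifs;               /* trailing control-interface entry */
    for (j = DPSW_MAX_IF; j < TOTAL_SLOTS; j++)
        clobbered += (m->slot[j] != GUARD_FILL);
    return clobbered;
}

/* Off-by-one check: accepts 64, which still overflows by one entry. */
static int check_gt(uint16_t n) { return n > DPSW_MAX_IF ? -EINVAL : 0; }

/* Check matching the fix described on the page (>=); -EINVAL is assumed. */
static int check_ge(uint16_t n) { return n >= DPSW_MAX_IF ? -EINVAL : 0; }

int main(void)
{
    struct model_mem m;
    uint16_t v[] = { 63, 64, 70 };   /* constructed firmware-reported values */
    for (size_t k = 0; k < 3; k++)
        printf("num_ifs=%u clobbered=%d gt=%d ge=%d\n", (unsigned)v[k],
               fill_flood_cfg(&m, v[k]), check_gt(v[k]), check_ge(v[k]));
    return 0;
}
```

The model writes only inside its own backing buffer, so it runs cleanly while showing that num_ifs == 64 already lands one entry past the 64-slot array.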
Attack Vector
Exploitation requires the firmware to report a malformed num_ifs value of 64 or greater. This is not directly reachable from unprivileged userspace. The threat model covers compromised firmware, malicious hardware, supply-chain attacks against DPAA2 firmware images, or developer error during firmware modification. Successful exploitation results in kernel heap or stack corruption depending on the allocation context of cfg.
Code-level exploitation details are described in the upstream commits. See the kernel.org commit references for the validating patch.
Detection Methods for CVE-2026-43205
Indicators of Compromise
- Kernel oops or panic messages referencing dpaa2_switch_fdb_get_flood_cfg or dpaa2_switch_init in dmesg or system logs
- KASAN (Kernel Address Sanitizer) reports of out-of-bounds writes within the dpaa2 switch driver call path
- Unexpected dpaa2-switch driver initialization failures or num_ifs values exceeding 64 in driver debug output
Detection Strategies
- Audit running kernel versions on DPAA2-equipped hardware against the patched commit hashes published on kernel.org
- Enable KASAN or KFENCE on test systems running the dpaa2-switch driver to catch out-of-bounds writes during fuzzing of firmware-supplied attributes
- Monitor kernel logs for warnings introduced by the validation patch when firmware reports invalid num_ifs values
Monitoring Recommendations
- Centralize kernel log collection from embedded networking platforms and alert on dpaa2-switch initialization errors
- Track kernel package versions across the fleet and flag systems lagging behind upstream stable releases
- Validate firmware images for DPAA2 hardware against known-good vendor checksums before deployment
How to Mitigate CVE-2026-43205
Immediate Actions Required
- Update affected Linux kernels to a stable release containing the fix titled "dpaa2-switch: validate num_ifs to prevent out-of-bounds write"
- Inventory all systems using NXP DPAA2 switch hardware and prioritize patching of production networking gear
- Verify firmware integrity on DPAA2 platforms and restrict firmware update channels to trusted vendor sources
Patch Information
The upstream fix adds a bound check for num_ifs against DPSW_MAX_IF in dpaa2_switch_init(), rejecting any value greater than or equal to 64. The fix has been backported across multiple stable trees. Review the following commits: 89764cf44544, 8a5752c6dcc0, 8b841fd529db, a26dda3bae46, a3034a8d5617, b690635d4719, and c18493f75020.
Workarounds
- If patching is not immediately possible, blacklist the dpaa2-switch kernel module on systems where switch functionality is not required
- Restrict physical and management access to DPAA2 hardware to prevent firmware tampering
- Pin firmware images to verified versions and disable runtime firmware reload paths where feasible
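# Blacklist the dpaa2-switch module until patches are applied
# (a blacklist entry stops automatic loading; it does not unload a module that is already loaded)
echo "blacklist dpaa2_switch" | sudo tee /etc/modprobe.d/blacklist-dpaa2-switch.conf
# Rebuild the initramfs so the entry also applies at early boot (Debian/Ubuntu command)
sudo update-initramfs -u
# Verify running kernel version against patched stable releases
uname -r
# Check if dpaa2-switch is currently loaded; use the exact name lsmod reports in the blacklist entry
lsmod | grep dpaa2_switch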
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


